
I need help with bestfriends.pif

I don't even know how I got it since I didn't click on anything at all yesterday.

Here's my log after running HijackThis
Help would be greatly appreciated!

Here is my log. Can someone please help me with this? Thanks!

Logfile of HijackThis v1.98.2
Scan saved at 12:50:47 AM, on 12/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transfandom.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKLM\..\RunServices: [Kaspersky Antivirus] KasperskyAV.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

Comments

  • edited December 2004
    Please can somebody help me???
  • edited December 2004
    Please I need help, my gf clicked on the link by mistake and now she has it too and her Internet Explorer browser is acting up.
  • Trogan, London, UK
    edited December 2004
    Hi!

    I'm not a spyware expert but the entries I say below are spyware so you can get rid of them with HJT.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    O4 - HKLM\..\Run: [System Initialization]

    Delete this file:
    C:\WINNT\system32\msmsgri32.exe
  • edited December 2004
    Thanks man, gonna do that right now.
  • edited December 2004
    Hi!

    I'm not a spyware expert but the entries I say below are spyware so you can get rid of them with HJT.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    O4 - HKLM\..\Run: [System Initialization]

    Delete this file:
    C:\WINNT\system32\msmsgri32.exe


    How do I delete this file?
    C:\WINNT\system32\msmsgri32.exe
  • edited December 2004
    I can't even find C:\WINNT\system32\msmsgri32.exe. Am I searching wrong?
  • Trogan, London, UK
    edited December 2004
    New_Guy wrote:
    I can't even find C:\WINNT\system32\msmsgri32.exe. Am I searching wrong?

    Make sure you can view hidden files and folders and look again. If not, go in to safe mode and look there. :)
  • edited December 2004
    How do I view hidden files?
  • Trogan, London, UK
    edited December 2004
    Click here and follow the images. When you are finished make sure to hide the files and folders again.

    If you cannot find the file, it may have been deleted with HJT :)

    Post a new log.
  • edited December 2004
    I didn't find it, here's the new log


    Logfile of HijackThis v1.98.2
    Scan saved at 1:51:09 PM, on 12/2/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AIM\aim.exe
    C:\WINNT\TEMP\[-]73786.exe
    C:\WINNT\System32\svchost.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transfandom.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe

    Does that mean everything is ok now?
  • Trogan, London, UK
    edited December 2004
    All looks good except this line:

    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?

    I suggest you wait until someone has a proper look. :)
  • edited December 2004
    Ok thanks man! Can someone take a look at my latest log and this line in particular?


    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?



    Logfile of HijackThis v1.98.2
    Scan saved at 2:00:40 PM, on 12/2/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AIM\aim.exe
    C:\WINNT\TEMP\[-]73786.exe
    C:\WINNT\System32\svchost.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transfandom.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
  • edited December 2004
    Help??
  • Buckeye_Sam, Columbus, Ohio
    edited December 2004
    Please post a new hijackthis log and I will look at it now.
  • edited December 2004
    Here is my new log, please help me.


    Logfile of HijackThis v1.98.2
    Scan saved at 12:29:31 PM, on 12/5/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AIM\aim.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\AtiRage4dPro.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transfandom.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ATI Rage3d Pro] AtiRage4dPro.exe
    O4 - HKLM\..\RunServices: [ATI Rage3d Pro] AtiRage4dPro.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
  • Trogan, London, UK
    edited December 2004
    Hi New_Guy.

    Fix these entries with HJT.
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    Do you know what AtiRage4dPro is? If not then remove these entries with HJT.
    O4 - HKLM\..\Run: [ATI Rage3d Pro] AtiRage4dPro.exe
    O4 - HKLM\..\RunServices: [ATI Rage3d Pro] AtiRage4dPro.exe

    Open Task Manager and look for any signs of msgfix.exe and End the process, then go here C:\WINNT\system32\msgfix.exe and delete the file msgfix.exe. There should be 5.

    Post a new log
  • SpywareShooter, 127.0.0.1
    edited December 2004
    ATI Rage3d Pro is hardware related. Do not fix those entries.
  • Buckeye_Sam, Columbus, Ohio
    edited December 2004
    C:\WINNT\system32\msgfix.exe is a worm. Follow the instructions on this page for removal.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.sn.html

    As for the rest of your log, you can remove both 016's. But as SpywareShooter said, don't remove the 04's. The rest of your log looks good.
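The things the helpers are reading off these logs by eye (one image name running five times over, the same name registered under both Run and RunServices, autorun values that carry no path) can be checked mechanically. The Python script below is an added example written for this thread; it is not code posted by any participant and not part of HijackThis. The sample log inside it is assembled to resemble the logs above, and the allowlist of images that normally run as several instances is an assumption to extend for the host being reviewed. Everything it returns is a review candidate, not a verdict: as SpywareShooter notes, the ATI entries in this thread were judged hardware-related, and mobsync.exe is a standard Windows component.

```python
import re
from collections import Counter

# Constructed sample: an abridged HijackThis-style log in the shape of the logs
# posted in this thread (assembled for this example, not copied from one post).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\AtiRage4dPro.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.invalid/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKLM\..\RunServices: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKLM\..\Run: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - HKLM\..\RunServices: [ATI Rage3d Pro] AtiRage4dPro.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# "O4 - HKLM\..\Run: [Name] value" lines; Global Startup entries deliberately do not match.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<value>.*)$"
)
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")   # lines in the "Running processes" block

# Images that legitimately run as several instances on a Windows 2000 host.
# Assumption: extend this allowlist for the environment you are reviewing.
MULTI_INSTANCE_OK = {"svchost.exe"}


def executable_of(value):
    """Executable part of an autorun value: the quoted path, or the first token."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(maxsplit=1)[0] if value else ""


def image_name(path):
    """Lower-cased file name of a path or bare executable name."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_log(text):
    """Split a HijackThis log into running-process image names and O4 autorun tuples."""
    processes, autoruns = [], []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            autoruns.append((m["hive"], m["key"], m["name"], executable_of(m["value"])))
        elif PROCESS_RE.match(line):
            processes.append(image_name(line))
    return processes, autoruns


def repeated_processes(processes, tolerated=MULTI_INSTANCE_OK):
    """Image names running as more than one instance, minus the tolerated set."""
    counts = Counter(processes)
    return {img: n for img, n in counts.items() if n > 1 and img not in tolerated}


def runservices_pairs(autoruns):
    """Images registered under both Run and RunServices. RunServices is a Windows 9x/ME
    key that NT-based Windows (such as the Windows 2000 host in this thread) does not
    process; NT-era installers rarely write it, so a pair deserves a closer look."""
    by_key = {}
    for _hive, key, _name, exe in autoruns:
        by_key.setdefault(key.lower(), set()).add(image_name(exe))
    return sorted(by_key.get("run", set()) & by_key.get("runservices", set()))


def bare_name_autoruns(autoruns):
    """Autorun values with no directory: Windows resolves these through its search path
    (usually %SystemRoot%\\system32 first), so locate the file before judging the entry."""
    return sorted({image_name(exe) for _hive, _key, _name, exe in autoruns if "\\" not in exe})


def triage(text):
    """Run all three heuristics over one log and return the findings by name."""
    processes, autoruns = parse_log(text)
    return {
        "repeated_processes": repeated_processes(processes),
        "run_and_runservices": runservices_pairs(autoruns),
        "bare_name_autoruns": bare_name_autoruns(autoruns),
    }


if __name__ == "__main__":
    for label, finding in triage(SAMPLE_LOG).items():
        print(f"{label}: {finding}")
```

Feed it a real log with `triage(open("hijackthis.log").read())`. The bare-name list is the one to act on when a poster says they "can't find" a file: a Run value such as KasperskyAV.exe with no directory almost always lives in %SystemRoot%\system32, and viewing hidden files (as Trogan describes above) is needed to see it there.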
  • edited December 2004
    The away message from bestfriends started again.
  • edited December 2004
    New log

    http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATI Rage3d Pro] AtiRage4dPro.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\RunServices: [ATI Rage3d Pro] AtiRage4dPro.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
  • edited December 2004
    Hi New_Guy.

    Fix these entries with HJT.
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    Do you know what AtiRage4dPro is? If not then remove these entries with HJT.
    O4 - HKLM\..\Run: [ATI Rage3d Pro] AtiRage4dPro.exe
    O4 - HKLM\..\RunServices: [ATI Rage3d Pro] AtiRage4dPro.exe

    Open Task Manager and look for any signs of msgfix.exe and End the process, then go here C:\WINNT\system32\msgfix.exe and delete the file msgfix.exe. There should be 5.

    Post a new log


    I found 3 of them in the task manager but only could delete one of them. I still can't find this C:\WINNT\system32\msgfix.exe. How do I search for it?
  • edited December 2004
    C:\WINNT\system32\msgfix.exe is a worm. Follow the instructions on this page for removal.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.sn.html

    As for the rest of your log, you can remove both 016's. But as SpywareShooter said, don't remove the 04's. The rest of your log looks good.

    I also can't use my symantec program. I had to uninstall because it just froze. I couldn't update nor could I go to symantec's home pages for some reason.
  • Crunchie, Mandurah, Western Australia. Member
    edited December 2004
    Start hijackthis and go to config\misc tools\delete a file on reboot and paste in; C:\WINNT\system32\msgfix.exe and reboot. Check to see if the file is still in task manager.
  • Crunchie, Mandurah, Western Australia. Member
    edited December 2004
    You need to stick to one thread too.

    http://www.short-media.com/forum/showthread.php?t=24478
  • edited December 2004
    I ran the Panda free active scan and this is what was disinfected

    Incident               Status        Location
    Virus:Trj/Qhost.gen    Disinfected   C:\RECYCLER\S-1-5-21-1004336348-813497703-1708537768-1000\Dc1
    Virus:Trj/Qhost.gen    Disinfected   C:\WINNT\system32\drivers\etc\hosts
    Virus:Trj/Delshare.I   Disinfected   C:\WINNT\Temp\secure.bat

    However I restarted my computer and now I can't access symantec again.
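A Qhost-style detection in C:\WINNT\system32\drivers\etc\hosts together with "I can't access Symantec" is the classic hosts-file block: vendor hostnames pinned to the loopback address so that update servers and vendor web pages never resolve to their real addresses. The Python script below is an added example for this thread, not code from any participant or from Panda; the hosts file inside it is constructed to show the pattern, and the list of watched vendor domains is an assumption to extend for whatever products are in use.

```python
import ipaddress

# Constructed sample hosts file (not the poster's real file) showing the pattern a
# Trj/Qhost-style detection in drivers\etc\hosts points at: security-vendor names
# pinned to the loopback address, so updates and vendor web pages silently fail.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       www.pandasoftware.com   # trailing comment
127.0.0.1       ads.example.invalid
192.168.1.10    fileserver.example.lan
"""

# Domains a clean hosts file has no business mentioning.
# Assumption: extend this list with the vendors deployed on the host being reviewed.
WATCHED_SUFFIXES = (
    "symantec.com",
    "pandasoftware.com",
    "avast.com",
    "kaspersky.com",
    "microsoft.com",
    "windowsupdate.com",
)


def parse_hosts(text):
    """Return (line_number, address, hostname) for every mapping in a hosts file,
    skipping comments, blank lines and lines whose first field is not an IP address."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing and full-line comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not an address
        for host in fields[1:]:                   # one address may name several hosts
            entries.append((lineno, str(addr), host.lower()))
    return entries


def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Mappings for security-vendor names. Any such mapping is suspect regardless of
    the address it points at; the right fix is to remove the line, not to edit it."""
    return [
        (lineno, addr, host)
        for lineno, addr, host in parse_hosts(text)
        if any(host == suffix or host.endswith("." + suffix) for suffix in watched)
    ]


def loopback_redirects(text):
    """Every name other than localhost pinned to a loopback address, vendor or not.
    This is the broader net: it catches vendors missing from the watched list."""
    return [
        (lineno, addr, host)
        for lineno, addr, host in parse_hosts(text)
        if ipaddress.ip_address(addr).is_loopback and host != "localhost"
    ]


if __name__ == "__main__":
    for lineno, addr, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {addr}  (security vendor name in hosts file)")
    for lineno, addr, host in loopback_redirects(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {addr}  (pinned to loopback)")
```

On the Windows 2000 host in this thread the file to read is C:\WINNT\system32\drivers\etc\hosts; on a clean install it contains only the localhost line and comments. If the entries come back after a scanner disinfects the file, as the poster reports after a reboot, the process writing them is still running and the hosts file is a symptom rather than the cause.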
  • edited December 2004
    New log

    Logfile of HijackThis v1.98.2
    Scan saved at 10:15:59 AM, on 12/6/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINNT\system32\AtiRage4dPro.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\mozilla.org\Mozilla\mozilla.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transfandom.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATI Rage3d Pro] AtiRage4dPro.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
    O4 - HKLM\..\RunServices: [ATI Rage3d Pro] AtiRage4dPro.exe
    O4 - HKLM\..\RunServices: [Kaspersky Antivirus] KasperskyAV.exe
    O4 - HKCU\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
  • edited December 2004
    Can someone please help? I'm going home this Friday for vacation from college and I need it fixed or else the school networking will disable my infected computer. Please help.
  • SpywareShooter, 127.0.0.1
    edited December 2004
    Boot into Safe Mode then do the following:

    O4 - HKLM\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
    O4 - HKLM\..\RunServices: [Kaspersky Antivirus] KasperskyAV.exe
    O4 - HKCU\..\Run: [Kaspersky Antivirus] KasperskyAV.exe

    Fix those entries then find and delete kasperskyAV.exe, boot back into normal mode, and post a new log.
  • edited December 2004
    I'm doing it now.
  • edited December 2004
    How do I find kasperskyAV.exe?